Stopping Spam With Linux - page 2

Introduction

May 29, 1999

By
James Andrews

Focus on sendmail

I will be using the sendmail 'Mail Transport Agent' (MTA) in all my examples. Sendmail is the most widely used MTA on the Internet. It's an old, large, complex and not particularly efficient program. In particular it has a bad reputation for being difficult to configure. Whatever email server program you choose to use, though, blocking spam is still an important issue. The concepts outlined below are applicable to any type of server program. If you already run sendmail, I would recommend upgrading to version 8.9 or higher. There are many new, easy-to-configure antispam features in version 8.9.

Disallow Relay

The most basic thing you should do is prevent your machine from being used as a place from which to send spam. It may be surprising, but the 'Simple Mail Transfer Protocol' that is used by all Internet email gateways does not check passwords or any other sort of access when it is accepting messages for delivery. If a spammer connects to your email server, all they have to do is give it a list of addresses, which takes just a few seconds. The MTA then 'fans out' the list of email addresses into real attempts to connect to remote sites. At the very least you need to stop other people from using your email server to do their dirty work with your resources.

To prevent this from happening, first you need to make a list of hosts that will be allowed to relay through your server. These would include other machines at your site, perhaps PCs running mail clients under Microsoft Windows. Make a file /etc/mail/LocalIP and then add the line:

F{LocalIP} /etc/mail/LocalIP

anywhere near the top of your /etc/sendmail.cf file, and add these lines at the end of the /etc/sendmail.cf file:

This fragment of sendmail configuration comes from the sendmail Web site. There is a lot of detail there on how to configure sendmail to block spam, so I will just skim over the rest of the methods available and point you there for further practical assistance.

Check For Bad Addresses

The next level of sophistication is to keep a list of addresses and sites to block. For instance, if you notice that a lot of junk email is coming in from 'cyberpromo.com' you will want to block that site. The way to do this is with the 'check_mail' rule set. This method will prevent delivery from the sites you list. However, it may be difficult to keep track of where the spam is coming from and time-consuming to maintain a current list of sites that allow spam. Paul Vixie maintains the MAPS Realtime Blackhole List, which is accessible via DNS (non-technical explanation: it works from anywhere on the Internet, quickly and with minimal fuss), and to use it you need only add a couple of lines to your 'check_mail' rule set.
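The two server-side checks described so far, refusing to relay for anyone who is neither a local recipient nor one of the hosts in LocalIP, and looking a connecting client up in a DNS-based blackhole list, are modelled below in Python. This is an added example, not the article's sendmail.cf fragment and not sendmail's own code. LOCAL_IPS, LOCAL_DOMAINS and the zone name rbl.example.invalid are constructed placeholders; the resolver is passed in as a function so the example runs offline, and dns_resolve is provided for live use with whichever list you actually subscribe to.

```python
import ipaddress
import socket

# Constructed stand-ins for the article's /etc/mail/LocalIP file (hosts allowed
# to relay) and for the domains this server accepts mail for. Entries may be
# single addresses or CIDR networks.
LOCAL_IPS = ["127.0.0.1", "192.0.2.0/24"]
LOCAL_DOMAINS = ["maths.ex.ac.uk", "ex.ac.uk"]


def is_local_client(client_ip, local_ips=LOCAL_IPS):
    """True if the connecting host is one of ours (a member of LocalIP)."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in ipaddress.ip_network(entry, strict=False)
               for entry in local_ips)


def is_local_recipient(rcpt_addr, local_domains=LOCAL_DOMAINS):
    """True if delivery terminates on this server (the recipient domain is ours)."""
    domain = rcpt_addr.strip().strip("<>").rpartition("@")[2].lower().rstrip(".")
    return any(domain == d or domain.endswith("." + d) for d in local_domains)


def check_rcpt(client_ip, rcpt_addr):
    """Relay policy applied at RCPT TO: local delivery is always fine, outbound
    mail from our own machines is fine, anything else would be third-party relay."""
    if is_local_recipient(rcpt_addr) or is_local_client(client_ip):
        return "250 OK"
    return "550 Relaying denied"


def rbl_query_name(client_ip, zone):
    """Name a DNS-based blackhole list is queried under: the client's IPv4
    octets reversed, followed by the list's zone (192.0.2.1 -> 1.2.0.192.<zone>)."""
    octets = ipaddress.IPv4Address(client_ip).exploded.split(".")
    return ".".join(reversed(octets)) + "." + zone


def dns_resolve(name):
    """Live resolver: the A record for name, or None when the name does not exist."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def check_mail(client_ip, zone, resolve=dns_resolve):
    """Policy applied at MAIL FROM: a listed client resolves to an address in
    127.0.0.0/8; an unlisted one gets NXDOMAIN and the message is let through."""
    answer = resolve(rbl_query_name(client_ip, zone))
    if answer is not None and \
            ipaddress.ip_address(answer) in ipaddress.ip_network("127.0.0.0/8"):
        return "550 Mail from %s refused by blackhole site %s" % (client_ip, zone)
    return "250 OK"


# Constructed offline stand-in for a list's DNS zone. 'rbl.example.invalid' is a
# placeholder, not a real list; 203.0.113.2 is the only address it 'lists'.
FAKE_RBL_ZONE = "rbl.example.invalid"
FAKE_RBL = {"2.113.0.203." + FAKE_RBL_ZONE: "127.0.0.2"}


def fake_resolve(name):
    return FAKE_RBL.get(name)


if __name__ == "__main__":
    print(check_rcpt("198.51.100.7", "someone@example.net"))    # third-party relay attempt
    print(check_rcpt("192.0.2.10", "someone@example.net"))      # one of our PCs sending out
    print(check_rcpt("198.51.100.7", "james@maths.ex.ac.uk"))   # inbound mail for us
    print(check_mail("203.0.113.2", FAKE_RBL_ZONE, fake_resolve))
    print(check_mail("203.0.113.9", FAKE_RBL_ZONE, fake_resolve))
```

The relay decision deliberately tests the recipient first: mail for your own domains is accepted from anywhere, and only mail bound elsewhere needs the sender to be on your LocalIP list. Note that a DNS-based list only answers "listed" with an address in 127.0.0.0/8, so a lookup failure (NXDOMAIN) is treated as "not listed" rather than as a reason to reject.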

procmail as MDA

The above discussion has focused on the server. But if you look at the nuisance value of mail from the user's point of view, it is worth filtering out spam email as it arrives. To do this you use the next stage in the email system. This is not the email client that you, the user, actually run to read the email, but the 'Mail Delivery Agent' or MDA that is used to place the messages in your email spool file as they arrive. The MDA I use is called procmail.

procmail was originally developed to help sort email into folders as it comes in. If you think this sounds useful in itself, see the excellent man pages 'procmailex' and 'procmailrc' that are installed with the procmail package.

Procmail can easily be configured to block spam at the point of delivery. To do this, first make a list of addresses which your mail is delivered 'To'. By this I mean your email address or addresses and the address of any email lists you might be on. For instance I can take email as james@maths.ex.ac.uk or j.s.andrews@ex.ac.uk, and I am also on the list spamsuckers@maths.ex.ac.uk. The idea behind using procmail to filter out spam is to match on your known addresses and treat anything left over as spam. This is a little dangerous if there is a list or alternate address you have forgotten, but if you lob the spam into a different folder (procmail can do this), then it is at least hidden away and not polluting your main folder.

Here is a set of procmail 'recipes' that are placed in the .procmailrc for each user, or the /etc/procmailrc for everyone on the machine.

# main address
:0:
* ^TO_james@maths.ex.ac.uk
$ORGMAIL

# alternate address
:0:
* ^TO_j.s.andrews@ex.ac.uk
$ORGMAIL

# list I am on
:0:
* ^TO_spamsuckers@maths.ex.ac.uk
$ORGMAIL

# doesn't match, so it must be SPAM
:0 E:
spam

This will make a folder called 'spam' containing every incoming message that matched none of your addresses. Keep an eye on this folder for a while after you have set up the filtering. This is just to check that it is all working as planned, and to tweak the rules as required.
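To see exactly which messages the recipe set above keeps and which it files as spam, here is an added Python emulation of the recipe chain; it is not part of the article and not procmail's code. The regular expression that procmail substitutes for ^TO_ is the one documented in procmailrc(5), and the sample messages are constructed. The last sample shows the failure mode the text warns about: a legitimate message on which you were only Bcc'd carries none of your addresses in its headers and so lands in the spam folder.

```python
import re

# Expansion of procmail's ^TO_ macro as documented in procmailrc(5).
TO_ = (r"(^((Original-)?(Resent-)?(To|Cc|Bcc)|(X-Envelope|Apparently(-Resent)?)-To)"
       r":(.*[^-a-zA-Z0-9_.])?)")

# The address patterns from the article's recipes, exactly as procmail sees them
# after the ^TO_ substitution (so '.' is a regex wildcard, just as in the .procmailrc).
MY_ADDRESSES = [
    "james@maths.ex.ac.uk",
    "j.s.andrews@ex.ac.uk",
    "spamsuckers@maths.ex.ac.uk",
]


def header_block(message):
    """Header region of an RFC 822 message with folded continuation lines joined.
    procmail anchors '^' at the start of every header line, which re.MULTILINE
    reproduces; recipe conditions are matched case-insensitively by default."""
    head = message.split("\n\n", 1)[0]
    return re.sub(r"\n[ \t]+", " ", head)


def matches_to(message, address):
    """True if the recipe condition '* ^TO_<address>' would succeed on this message."""
    return re.search(TO_ + address, header_block(message),
                     re.MULTILINE | re.IGNORECASE) is not None


def deliver(message, addresses=MY_ADDRESSES):
    """Emulate the recipe chain: the first ':0:' recipe whose address matches
    delivers to $ORGMAIL and procmail stops; if the last address recipe fails,
    the ':0 E:' recipe files the message in the 'spam' folder."""
    for address in addresses:
        if matches_to(message, address):
            return "$ORGMAIL"
    return "spam"


# Constructed sample messages (the bodies are irrelevant to ^TO_).
DIRECT = ("From: colleague@example.org\nTo: james@maths.ex.ac.uk\n"
          "Subject: seminar\n\nSee you at 2.\n")
FOLDED_CC = ("From: colleague@example.org\nTo: someone@example.org\n"
             "Cc: Another Person <another@example.org>,\n"
             " James Andrews <j.s.andrews@ex.ac.uk>\n"
             "Subject: minutes\n\nAttached.\n")
LIST_POST = ("From: poster@example.org\nTo: spamsuckers@maths.ex.ac.uk\n"
             "Subject: [list] hello\n\nhi\n")
BULK = ("From: offers@example.com\nTo: undisclosed-recipients:;\n"
        "Subject: MAKE MONEY FAST\n\n$$$\n")
# Legitimate mail where the user was only Bcc'd: the address never appears in
# the headers, so this recipe set misfiles it, the risk the article points out.
BCC_ONLY = ("From: friend@example.org\nTo: friend@example.org\n"
            "Subject: party\n\nCome along.\n")

if __name__ == "__main__":
    for name, msg in [("DIRECT", DIRECT), ("FOLDED_CC", FOLDED_CC),
                      ("LIST_POST", LIST_POST), ("BULK", BULK), ("BCC_ONLY", BCC_ONLY)]:
        print(name, "->", deliver(msg))
```

The folded Cc: line is the case worth checking by hand: procmail (and this emulation) joins continuation lines before matching, so an address wrapped onto a second physical line still counts. If your mail server rewrites envelope recipients into an X-Envelope-To or Apparently-To header, ^TO_ picks those up too, which rescues the Bcc case on such systems but not on ones that leave the headers untouched.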